GitLab unveils latest flaw list, including vulnerability page leak


GitLab has advised its users of a slew of “important” security fixes to its community and enterprise versions, and said just released updates should be applied “immediately”.

The DevOps/everything vendor shipped its 12.9 release on Monday, flagging up new features focused on security and visibility, including better HashiCorp Vault integration, and improved container scanning processes.

But ensuring security is a never-ending struggle, and yesterday it flagged up a stack of flaws across its versions, and has shipped versions 12.9.1, 12.8.8 and 12.7.8 to zap the bugs.

Top of its list of 17 flaws in total was the possibility of an arbitrary local file read when moving issues between projects. This affected versions 8.5 and later of both the community and enterprise editions.

Also caught was a bug that could allow a path traversal in the NPM Package Registry. It has not specified which versions are affected.

Meanwhile, insufficient access verification could lead to unauthorized creation of personal snippets through the API by an external user, though again, it has not specified which versions are affected.

And another flaw meant that “under certain circumstances a blocked user still had the ability to pull images from the internal container registry of any projects to which the user had access.” This affected versions 8.11 and later.

And, ironically perhaps, a flaw in 10.8 and later meant “the vulnerability feedback page was leaking metadata and comments on vulnerabilities to unauthorized users”.

You can see the full list of vulnerabilities and find your way to the fixes here.